Double-header: Windows Recovery, then XP Home Security2011 infection

LewdOod · May 4, 2011

OK -- I've been sitting here waiting to post my issues for this, but I'm still waiting (three hours later) for GMER to finish. Before I stop it and create and save the ark.txt file regardless, should I either keep waiting this thing out or should I stop it and re-scan (I'll probably need to do it in safe mode, as explained below)? Please let em know ASAP and I'll do as you suggest. I have everything else ready to go, though, so here's my explanation of my problems and the other info you guys need, sans GMER results.

I'm here til this thing gets fixed, so I'd appreciate it if whoever assists me has the time to sit here and work it out with me until it's good (it's my work computer, so I really need to get the thing clean ASAP).

THANKS!!!!

-----------------

Hey there -- Here's my deal.

I work from home, left my HP desktop running XP Pro on over the weekend. When I left it Friday it was fine. When I resumed working Monday it started out fine then I was hit by all of the symptoms of the "Windows Recovery" virus. My last system acan from Symantec was last Monday, no issues were found, but I think I may have been duped into clicking a fake java or flash update since then, which dl'd the virus.

Anyway, I manually deleted the files and registry details for Windows Recovery as suggested elsewhere, and used unhide.exe to re-display everything.

Then I started experiencing the symptoms of XP Home Security. I looked for the files to manually remove for this one and couldn't find any. I created and ran the fix.reg file suggested elsewhere. That seemed to stop the pop-up alerts and has prevented the "viw.exe" process from auto-launching (this was tied to the "XP Home Security 2011" popups).

Still, in normal mode my system is slower than molasses, so slow it wouldn't even allow me to run MBAM (it would hang during initial enumeration). So I had to restart in safe mode w/ networking, updated MBAM, and ran quick scan in safe mode (details below).

I'm almost sure there are rootkits embedded in my system, and I need your help to cleanse this thing.

FYI -- since Monday I have used the following AV tools:

Monday AM -- MBAM (because my Symantec Pro wouldn't load; although, great work it did in preventing this stuff in the first place...); MBAM found a number of issues and I removed all files listed

Monday afternoon -- Symantec Pro (nothing found)

Monday evening / overnight -- PC Tools Spyware Doctor w/AV; Found a number of issues but I didn't know it wouldn't clean them without a registration fee; I have the scan results if you'd like to see them, though (10 infections & about 670 other issues)

I was on the road Tuesday away from the unit...

Tuesday overnight -- Avast full scan (nothing found)

Wed. morning -- MBAM (again)in prep for this posting

Still getting Internet Explorer script errors associated with the viruses, and like I said, this thing is now horribly slow. Not sure about random audio because I muted my speakers (the audio just creeps me out).

Remember, it's a heck of a lot faster for me to do things in safe mode, so if you know how I can cleann this bugger without having to enter normal mede, we'll be done a lot quicker.

Help me Obi Wan Kenobi.... You're my only hope!

*** MalwareBytes log file ***

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6504

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5-4-2011 11:00:37 AM

mbam-log-2011-05-04 (11-00-37).txt

Scan type: Quick scan

Objects scanned: 189334

Time elapsed: 24 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\sharpej\Local Settings\Application Data\viw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\sharpej\Local Settings\Application Data\viw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\sharpej\Local Settings\Application Data\viw.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*** DDS ***

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by sharpej at 11:23:58.04 on Wed 05-04-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.191 [GMT -4:00]

.

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\SatSrv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Documents and Settings\sharpej\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://rf1.ruderfinn.com

uDefault_Page_URL = hxxp://rf1.ruderfinn.com

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Google Update] "c:\documents and settings\sharpej\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe"

mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot

StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 91.212.65.122 browser-security.microsoft.com

Hosts: 91.212.65.122 spyware-protector-2009.com

Hosts: 91.212.65.122 www.spyware-protector-2009.com

Hosts: 91.212.65.122 secure.spyware-protector-2009.com

Hosts: 91.212.65.122 knocker

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\sharpej\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-5-2 239168]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-5-2 338880]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-3 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-3 307288]

R1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240]

R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-3 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-3 42184]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

R2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144]

R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-2 38224]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-5-2 366840]

S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-5-2 1150936]

.

=============== Created Last 30 ================

.

2011-05-04 02:42:37 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-04 02:39:39 40112 ----a-w- c:\windows\avastSS.scr

2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software

2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-05-03 03:18:21 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2011-05-03 03:18:21 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys

2011-05-03 03:18:20 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2011-05-03 03:18:03 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2011-05-03 03:18:03 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2011-05-03 03:17:44 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:17:23 -------- d-----w- c:\program files\common files\PC Tools

2011-05-03 03:17:23 -------- d-----w- c:\docume~1\sharpej\applic~1\PC Tools

2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET

2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes

2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-13 14:56:24 -------- d-----w- c:\docume~1\sharpej\locals~1\applic~1\Identities

.

==================== Find3M ====================

.

2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe

2007-07-10 21:36:11 697492 -c----w- c:\program files\uTorrent-1.6.1-install.exe

2007-07-10 21:35:49 177152 -c----w- c:\program files\utorrent.exe

.

============= FINISH: 11:26:59.42 ===============

*** GMER ***

still waiting... *sigh*

Attach.zip

LewdOod · May 4, 2011

GMER just ended (hooray!) -- Here's the ARK.txt...

ark.zip

screen317 · May 4, 2011

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (Spyware Doctor and avast). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Next, please update MBAM, run a Quick Scan, and post its log. Next, run DDS again and post DDS.txt in your reply.

LewdOod · May 4, 2011

Here you go -- MBAM & DDS. MBAM detected no malicious items...

*** MBAM #2 ***

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6504

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5-4-2011 5:12:22 PM

mbam-log-2011-05-04 (17-12-22).txt

Scan type: Quick scan

Objects scanned: 191243

Time elapsed: 18 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*** DDS ***

.

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK

Run by sharpej at 17:14:47.23 on Wed 05-04-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.176 [GMT -4:00]